Solved – kb3045313 error 643 in windows server 2012R2


i found one of my server (windows server 2012R2) which contain symantec backup exec cannot install one update with kb3045313, it always show error 643.

so many failed status

after some research in the internet, i found that this problem come from .net framework as it describe in this article

after i installed the .net framework 3.5 , and then i reinstall the kb3045313.

And it succeeded as you can see in the picture above.

Solved – Windows Server 2008 R2 Update fails due to system-protected font – Tahomabd.ttf- KB4338818 or KB4343900


this problem has been consume my time for almost 1 month.

i have been trying to install kb 4343900 for many times on my windows server 2008 r2, but it always failed.
The server was virtual machine on VMware.
What i already do is :
– running the sfc /scannow but it looks normal no integrity violation found
– try install the kb manually but still failed.
– running the SFCFix but still not working

– reset the windows update component.

windows update log :

2018-08-23 16:20:46:999 868 b4c Handler Post-reboot status for package Package_for_RollupFix~31bf3856ad364e35~amd64~~7601.24214.1.5: 0x80070020.
2018-08-23 16:20:46:999 868 b4c Handler WARNING: Got extended error: “POQ Operation HardLinkFile OperationData \SystemRoot\WinSxS\amd64_microsoft-windows-font-truetype-tahoma_31bf3856ad364e35_6.1.7601.24145_none_8e5c4f96a47869ce\tahomabd.ttf, \??\C:\Windows\fonts\tahomabd.ttf”

after several troubleshoot workaround, i found that the tahomabd.ttf are lock the windows update process , and here are the workaround to solved it :

1) Use Process Explorer (Process Explorer – Windows Sysinternals | Microsoft Docs) to search for handles currently using “tahoma” or “staticcache.dat”. Please run this tools as administrator.
2) Temporarily disable or uninstall the above handles (programs/processes) that are using “tahoma” or “staticcache.dat” (for my case, manage engine service desk lock the tahoma font. Disable the manage engine services before install the KB).

3) Install KB4343900.

4) restart the server

5) Update Success, Re-enable manage engine services.


Source :

Source 1

Source 2 – my thread on

Windows 2012R2 Server does not connect to WSUS server 2008r2 (Error 800B001)

Hi All,

if you have problem like me

which is WSUS server on OS windows server 2008r2 and have client with OS windows

server 2012R2 that doesn’t connect to the WSUS with error code 800B001

You need to install below KB , and then restart the server

After server going up and then test the update on client.

Hope it will solved your problem just like me 🙂

I found this workaround on this site :



Troubleshooting – WSUS “Duplicate SID from IMAGE Deployment”

If the client have duplicate SID, it’s make computers not showing in the wsus console.

The duplicate SID are came from Image base deployment .

If you generalize the image using sysprep this issue will not show.

You can run below scipt in the client that not detected in WSUS console.

Save below script as bat file, and run the file using administrative account.

net stop wuauserv
REG DELETE “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate” /v AccountDomainSid /f
REG DELETE “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate” /v PingID /f
REG DELETE “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate” /v SusClientId /f
net start wuauserv
wuauclt /resetauthorization /detectnow

Credit to original script creator.

WSUS – KB972493 reports needed unnecessarily

WSUS Server may report that some clients (Windows Server 2008R2) need the update “Windows Server Manager – Windows Server Update Services (WSUS Dynamic Installer (KB972493).” The clients not detect that, they need this update but the WSUS server label the client as needing the update regardless.

And this is the option for solved that :

1) Decline the update in WSUS for all groups. But you must make sure this update already installed on your WSUS Servers. This will make all server clean without notification that show the server needed that update.

2) Setup a separate group in WSUS for just your WSUS servers. Approve the update for the WSUS Servers group and not the other servers.

If seeing “Install (1/5)” in WSUS irritates you and makes using WSUS more difficult like it does me, pick option #1 like I have. You’ll know when WSUS SP3 comes out because WSUS will present it as a new update for you to Approve, Decline, etc. When you see this, go update your WSUS servers.

(Option 3 is to install the WSUS role on all your 2008 servers – not sensible and not recommended.)

Reference link